L-Forum Vulnerability - SQL Injection

From: Matthew Murphy (mattmurphyat_private)
Date: Tue Aug 13 2002 - 19:53:04 PDT

Next message: Cisco Systems Product Security Incident Response Team: "Cisco Security Advisory: Cisco Content Service Switch 11000 Series Web Management Vulnerability"

Previous message: Matthew Murphy: "L-Forum Vulnerability - SQL Injection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I have discovered an SQL injection flaw in L-Forum which has
a recent record (upload spoofing/XSS by Ulf) of security bugs.

The problem this time is search.php.  It doesn't properly escape
the SQL data passed in by the user in the search member.  I
have provided a SourceForge patch for this vulnerability.  I
have shown URLs that exploit this:

Postgres:

http://localhost/search.php?search=a%27%20order%20by%20time%20desc%3b%20[que
ry]

MySQL:

http://localhost/search.php?search=a%25%27%20order%20by%20time%20desc%3b%20[
query]

I've patched this on SourceForge:

http://sourceforge.net/tracker/download.php?group_id=53716&atid=471341&file_
id=29026&aid=594867

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown

Next message: Cisco Systems Product Security Incident Response Team: "Cisco Security Advisory: Cisco Content Service Switch 11000 Series Web Management Vulnerability"
Previous message: Matthew Murphy: "L-Forum Vulnerability - SQL Injection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 14 2002 - 14:05:35 PDT